feat!: Remove github_token input and use default GITHUB_TOKEN from ca…

…lling workflow The `github_token` input was removed and the action now uses the default `GITHUB_TOKEN` variable that is always available to actions. See https://docs.github.com/en/actions/security-guides/automatic-token-authentication for more information about GITHUB_TOKEN and how it works in Github Actions. BREAKING CHANGE: The github_token input was removed and is no longer needed.
activescott · Jan 28, 2023 · 1829b0a · 1829b0a
1 parent 30e050c
commit 1829b0a
Show file tree

Hide file tree

Showing 11 changed files with 19 additions and 18 deletions.
diff --git a/.github/workflows/approve-deployment.yml b/.github/workflows/approve-deployment.yml
@@ -13,10 +13,9 @@ jobs:
       deployments: read
     steps:
       - name: Auto Approve Deploys
-        # you can use any @vN.N.N tag from https://github.com/activescott/automate-environment-deployment-approval/releases
-        uses: activescott/automate-environment-deployment-approval@v1.0.0
+        # you should use any @vN.N.N tag such as @v1.0.0 from https://github.com/activescott/automate-environment-deployment-approval/releases
+        uses: activescott/automate-environment-deployment-approval@main
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
           environment_allow_list: |
             Github
           # the below automatically approves dependabot and anything submitted by the Github user with login "activescott"

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -21,7 +21,6 @@ jobs:
       - uses: actions/checkout@v3
       - uses: ./
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
           environment_allow_list: |
             aws
             gcp

diff --git a/README.md b/README.md
@@ -34,7 +34,6 @@ jobs:
         # you can use any @vN.N.N tag from https://github.com/activescott/automate-environment-deployment-approval/releases
         uses: activescott/automate-environment-deployment-approval@v1.0.0
         with:
-          github_token: ${{ secrets.GH_TOKEN_FOR_AUTO_APPROVING_DEPLOYS }}
           environment_allow_list: |
             aws
           # the below automatically approves dependabot and anything submitted by the Github user with login "activescott"

diff --git a/action.yml b/action.yml
@@ -13,9 +13,6 @@ inputs:
   actor_allow_list:
     required: true
     description: The list of users to automatically approve deploys for. Can be a newline-delimited list of strings.
-  github_token:
-    required: true
-    description: A personal access token (PAT) from a 'required reviewer' and must have the 'repo' scope.
 
 runs:
   using: "node16"

diff --git a/dist/index.js b/dist/index.js
@@ -170,7 +170,6 @@ const core = __importStar(__nccwpck_require__(2186));
 exports.ActionInputNames = {
     environment_allow_list: "environment_allow_list",
     actor_allow_list: "actor_allow_list",
-    github_token: "github_token",
 };
 /**
  * Returns the environment variable name to use for the given input
@@ -248,7 +247,11 @@ function run() {
             core.info(`input environments_to_approve: ${(0, node_util_1.inspect)(environments_to_approve)}`);
             const actors_to_approve = (0, inputs_1.getMultilineInput)("actor_allow_list");
             core.info(`input actors_to_approve: ${(0, node_util_1.inspect)(actors_to_approve)}`);
-            const github_token = (0, inputs_1.getStringInput)("github_token");
+            const github_token = process.env["GITHUB_TOKEN"];
+            if (!github_token) {
+                // my understanding is that the environment should always be there: https://docs.github.com/en/actions/security-guides/automatic-token-authentication
+                throw new Error("The GITHUB_TOKEN environment variable was not found.");
+            }
             const repo = github.context.repo;
             const octo = (0, octo_1.createOcto)(repo, github.getOctokit(github_token));
             if (!Reflect.has(process.env, "DEBUG_SKIP_ALL_REQUESTS")) {

diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/src/approver.ts b/src/approver.ts
@@ -97,7 +97,7 @@ async function filterDeploymentsToApprove(
       }
       if (!deploy.current_user_can_approve) {
         core.warning(
-          `The current user (${currentUser.login}) does not have permission to approve deployment for Run '${run.display_title}' (${run.id}) to environment '${deploy.environment.name}'. The github_token input determines the current user and it must be from a 'required reviewer' and must have the 'repo' scope.`
+          `The current user (${currentUser.login}) does not have permission to approve deployment for Run '${run.display_title}' (${run.id}) to environment '${deploy.environment.name}'. The GITHUB_TOKEN secret from the calling workflow determines the current user and it must be from a 'required reviewer' for the environment and must have the 'repo' scope.`
         )
         return false
       }

diff --git a/src/inputs.test.ts b/src/inputs.test.ts
@@ -12,7 +12,7 @@ describe("input", () => {
 
   test("setInputValueInEnvironment should set the environment", () => {
     const KEY_VALUE = "mykey" + randomInteger()
-    inputs.setInputValueInEnvironment("github_token", KEY_VALUE)
-    expect(process.env["INPUT_GITHUB_TOKEN"]).toEqual(KEY_VALUE)
+    inputs.setInputValueInEnvironment("environment_allow_list", KEY_VALUE)
+    expect(process.env["INPUT_ENVIRONMENT_ALLOW_LIST"]).toEqual(KEY_VALUE)
   })
 })
diff --git a/src/inputs.ts b/src/inputs.ts
@@ -3,7 +3,6 @@ import * as core from "@actions/core"
 export const ActionInputNames = {
   environment_allow_list: "environment_allow_list",
   actor_allow_list: "actor_allow_list",
-  github_token: "github_token",
 }
 
 /**

diff --git a/src/main.test.ts b/src/main.test.ts
@@ -13,7 +13,8 @@ test("basic main run", async () => {
   }
   env[getEnvironmentNameForInput("environment_allow_list")] = "prod\ndev"
   env[getEnvironmentNameForInput("actor_allow_list")] = "vanusha\nmisha"
-  env[getEnvironmentNameForInput("github_token")] = "not-an-actual-token"
+  // this is normally injected by github actions host into the environment for actions
+  env["GITHUB_TOKEN"] = "not-an-actual-token"
   env["GITHUB_REPOSITORY"] = "my-owner/my-repo"
   env["DEBUG_SKIP_ALL_REQUESTS"] = "1"
 

diff --git a/src/main.ts b/src/main.ts
@@ -2,7 +2,7 @@ import * as core from "@actions/core"
 import * as github from "@actions/github"
 import { inspect } from "node:util"
 import { findAndApproveDeployments } from "./approver"
-import { getMultilineInput, getStringInput } from "./inputs"
+import { getMultilineInput } from "./inputs"
 import { Octo, createOcto } from "./octo"
 
 async function run(): Promise<void> {
@@ -15,7 +15,11 @@ async function run(): Promise<void> {
     const actors_to_approve = getMultilineInput("actor_allow_list")
     core.info(`input actors_to_approve: ${inspect(actors_to_approve)}`)
 
-    const github_token: string = getStringInput("github_token")
+    const github_token = process.env["GITHUB_TOKEN"]
+    if (!github_token) {
+      // my understanding is that the environment should always be there: https://docs.github.com/en/actions/security-guides/automatic-token-authentication
+      throw new Error("The GITHUB_TOKEN environment variable was not found.")
+    }
 
     const repo = github.context.repo
     const octo: Octo = createOcto(repo, github.getOctokit(github_token))